On Tue, Nov 14, 2006 at 03:01:24PM -0500, Gregory Maxwell wrote:
> On 11/14/06, Timwi <timwi(a)gmx.net> wrote:
> > That's the wrong question. A better set of
> > questions would be:
> > * Does every project have at least one sysop/bureaucrat who can spot
> > "evil" Java resources?
> > * Does every sysop/bureaucrat who does not have this skill, acknowledge
> > that they don't and consequently leave the approval queue alone? (from
> > your message, it appears that you do, so you're fine)
> It's not a question of skill:
> No matter how skilled, no human can tell a malicious Java app in binary
> form from a good Java app.
> Only through a careful audit of the source code could we expect to
> have any confidence... and that's a question of both time and skill...
. . . and at that point, you're back to wondering if the
sysops/bureaucrats who don't have the skill will leave the approval
queue alone. Since this is a preventative measure, and not an active
measure, it introduces problems later down the road, because the real
question isn't "Does every sysop/bureaucrat who does not have the skill
acknowledge that they don't and consequently leave the approval queue
alone?" Instead, the question is:
"Will every sysop/bureaucrat forevermore who does not have the skill
be reasonably expected to acknowledge that they don't have the skill and
consequently leave the approval queue alone, or do we think there's a
nontrivial likelihood that new sysops/bureaucrats will potentially become
a problem in this regard in the future?"
Unfortunately, if you want something approaching complete safety in this
regard, I don't think you're going to get it. I guess it all depends on
how much you're willing to risk it.
--
CCD CopyWrite Chad Perrin [
http://ccd.apotheon.org ]
"The first rule of magic is simple. Don't waste your time waving your
hands and hopping when a rock or a club will do." - McCloctnick the Lucid